Revision as of 00:56, 24 June 2010


Introduction

ZBFW (Zone-Based Policy Firewall) is a feature set of the IOS Firewall (IOSFW) in which router interfaces are assigned to different zones according to the requirement. Inspection is then applied to traffic moving between zones rather than between interfaces. ZBFW gives more flexibility than CBAC (Context-Based Access Control). In CBAC, inspection policies are configured together with ACL rules to define the IOSFW feature set, but those inspection policies and ACL rules apply to all traffic entering or leaving the respective router interface. In ZBFW, object-groups or ACLs can be used to select the interesting traffic for inspection, together with class-maps and policy-maps, which in turn provides more flexibility than CBAC. Also, with CBAC, multiple inspection rules and ACLs on several router interfaces make it more difficult to correlate which policies will be applied to a traffic flow between multiple interfaces.

ZBFW offers the following features

Application inspection

Stateful inspection

Local URL filtering

Transparent firewall

Things to remember about ZBFW

The policies configured from one zone to another are unidirectional in nature; a zone-pair covers one direction only.

By default, the traffic flow between different zones (inter-zone traffic) is "DENY ALL".

By default, the traffic flow to or from the "SELF" zone (the router itself) and any other zone is "ALLOW ALL"; it can be restricted with class-maps and their respective actions applied to a zone-pair that includes the self zone.

By default, the traffic flow within a zone (intra-zone traffic) is "ALLOW ALL", and no restriction or inspection of any kind can be applied to it.

An interface can be assigned to only one security zone.

Traffic cannot flow between a zone-member interface and any interface which is not a zone-member, so every interface that must exchange traffic should be assigned to a zone.

Multiple classes, each with its respective action, can be applied per zone-pair.

Steps to configure ZBFW

Identify and define network zones.

Determine the traffic flow between the respective zones.

Define class-maps to describe traffic between zones.

Associate class-maps with policy-maps to define actions to the respective traffic flow.

Set up zone pairs for any policy other than deny all.

Assign policy-maps to zone-pairs.

Now assign interfaces to zones.

The final step is to validate the configuration by passing some interesting traffic and checking the firewall state.
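A worked IOS configuration that carries the eight steps above through end to end, and that also illustrates the self-zone point from "Things to remember about ZBFW" (INSIDE to self is ALLOW ALL by default, and a zone-pair with a restrictive policy overrides that). This is an added example, not configuration from the original page; the zone names, class-map and policy-map names, the 10.1.1.0/24 management range and the GigabitEthernet interface names are assumptions made for illustration.

```cisco
! Step 1: define the zones (zone names are assumed for this example).
zone security INSIDE
 description LAN users
zone security OUTSIDE
 description Internet-facing link
!
! Step 3: class-maps describe the traffic to act on.
! match-any: a flow belongs to the class if it matches any listed protocol.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Management hosts allowed to reach the router itself (self zone) over SSH.
! The address range is constructed for this example.
ip access-list extended MGMT-HOSTS
 permit ip 10.1.1.0 0.0.0.255 any
!
! match-all: both the ACL and the protocol must match.
class-map type inspect match-all MGMT-TO-SELF-CLASS
 match access-group name MGMT-HOSTS
 match protocol ssh
!
! Step 4: policy-maps bind each class to an action (inspect, pass or drop).
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
policy-map type inspect INSIDE-TO-SELF-POLICY
 class type inspect MGMT-TO-SELF-CLASS
  inspect
 class class-default
  drop log
!
! Steps 5 and 6: zone-pairs are unidirectional; attach one policy per pair.
! No OUTSIDE->INSIDE pair is created, so that direction keeps the default
! inter-zone DENY ALL; only return traffic of inspected sessions gets back in.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Self zone: without this pair, INSIDE->self would be ALLOW ALL. Once the
! pair exists, anything not classified (including routing-protocol hellos
! arriving from INSIDE) falls into class-default and is dropped, so extend
! the class-map (or add a class with the pass action) before enabling this
! on a production router. self->INSIDE has no pair and stays ALLOW ALL.
zone-pair security IN-SELF source INSIDE destination self
 service-policy type inspect INSIDE-TO-SELF-POLICY
!
! Step 7: assign the interfaces to zones (interface names are assumed).
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN
 zone-member security OUTSIDE
!
! Step 8: validate by sending HTTP/DNS/ICMP from a LAN host and an SSH
! session from 10.1.1.0/24 to the router, then check the firewall state:
!   show zone security
!   show zone-pair security
!   show policy-map type inspect zone-pair IN-OUT sessions
!   show policy-map type inspect zone-pair IN-SELF sessions
```

The "drop log" on class-default makes every policy miss visible in syslog, which is the quickest way to find a flow the class-maps forgot during validation. Because zone-pairs are one-way, a return direction is never implicitly allowed; the inspect action creates the state that lets replies back through, whereas a class using only pass would need a matching pair in the opposite direction.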